
GDPR & List Building: the Essential Guide


The General Data Protection Regulation (commonly, GDPR) came into effect in May 2018. It impacts all businesses and organizations, everywhere in the world, that collect and process data from EU citizens. Meaning, it impacts most of us. The philosophy is pretty great—to better protect data, security, and privacy.

GDPR makes organizations accountable to a range of digital policies covering disclosures, security, and data handling. For the most part, these things are good for everyone. However, two areas where specific GDPR requirements can hurt more than help are your web form conversion rates and your list building strategy.

We’ll look at ways to minimize that harm. But first—let’s take a closer look at the problem.

GDPR conflicts with web usability in two ways

  1. Form simplification conflict: GDPR forces users to actively check a box to indicate that they have read your privacy policy before they can submit their personal details anywhere on your site. This can turn a simple interaction into an incredibly arduous one. ‘Checkbox fatigue’ is the unintended consequence of this requirement. Most people are likely to either: check the box without reading your policy, or not check the box and abandon the form. This ‘high barrier’ will hurt conversion rates on action forms and donation forms.
  2. List entry streamlining conflict: Our brains have a cognitive bias for default options. If we want to subtly encourage supporters to join our email list, it pays to pre-check opt in checkboxes. However, many organizations have interpreted GDPR requirements to mean that opt in checkboxes must be unchecked by default. This will negatively bias choice against joining your list and harm your list building efforts.

While well-intentioned, these measures can harm your conversion rates—which harms your campaign, list-building, and fundraising efforts—which harms animals.

You really have no choice but to serve GDPR-compliant web forms to supporters in the EU. However, it’s entirely up to you whether to extend these restrictions to everyone. Of course, a one-size-fits-all approach may be easiest to implement. But if many of your supporters live outside the EU, forcing all visitors to use GDPR-compliant forms can be costly to your mission.

Decision time: Global Standard or EU-Isolation Strategy?

When it comes to implementing GDPR, organizations have two choices: a global standard strategy, or an EU-specific (geo-isolation) strategy. There are pros and cons to geo-isolation.


Pros

  • Retain greater control over how to handle more of your data and web user experiences

Cons

  • A lot of work and double-handling
  • It’s expected that other regions will adopt similar standards in future which will create more complexity

It’s hard to make a case for maintaining two entirely separate approaches to the management of personal data. Most of what GDPR requires—user data access rights and robust security measures—is universally positive, after all. However, if you are protective of conversion rates, it makes a lot of sense to consider a dual approach for web forms. Geo-fencing can allow you to keep your web forms compliant within the EU, whilst containing the harm that GDPR does to conversion and list building efforts elsewhere.


Geo-fencing your GDPR form elements

Geo-fencing is the practice of serving region-specific web content to visitors based on their location. This simple coding principle makes it easy to isolate where your GDPR forms appear. If you’re new to this technique, follow these steps to create a simple geo-fence.

With your EU geo-fence in place, here’s what the end of a form might look like to supporters within the EU:

GDPR geo-fencing example

And to everyone else:

GDPR geo-fencing example

Pro tip: keep the code re-usable and modular—use a single function to define your GDPR geo-boundary throughout your site. That way you can easily accommodate any future expansion of GDPR-style regulations in other jurisdictions.
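The single-function approach from the pro tip, as an added example that is not code from the original article. The helper names, the form markup and the idea that a two-letter country code arrives from a server or CDN geolocation lookup are assumptions; a missing or malformed code falls back to the GDPR form, so a failed lookup never serves the non-GDPR version to an EU visitor.

```javascript
// Added example: one function defines the geo-boundary for the whole site.
// ISO 3166-1 alpha-2 codes of the 27 EU member states.
const EU_MEMBER_STATES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
  "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
  "SI", "ES", "SE",
]);

// Hypothetical extension point: add codes here if other jurisdictions
// adopt GDPR-style rules that you decide to handle the same way.
const EXTRA_FENCED_REGIONS = new Set([]);

// Returns true when the visitor must get the GDPR form elements.
// countryCode is assumed to come from a server or CDN geolocation lookup.
// Missing or malformed values fail closed: the visitor gets the GDPR form.
function isInsideGdprFence(countryCode) {
  if (typeof countryCode !== "string") return true;
  const code = countryCode.trim().toUpperCase();
  if (!/^[A-Z]{2}$/.test(code)) return true;
  return EU_MEMBER_STATES.has(code) || EXTRA_FENCED_REGIONS.has(code);
}

// Every form asks this one helper how to render its final fields.
function formEndSettings(countryCode) {
  const fenced = isInsideGdprFence(countryCode);
  return {
    showPrivacyPolicyCheckbox: fenced,   // must be ticked before submit
    emailOptInCheckedByDefault: !fenced, // unchecked inside the fence
  };
}

// Builds the markup for the end of a form from those settings.
function renderFormEnd(countryCode) {
  const s = formEndSettings(countryCode);
  const lines = [];
  if (s.showPrivacyPolicyCheckbox) {
    lines.push('<label><input type="checkbox" name="privacy" required> I have read the privacy policy</label>');
  }
  const checked = s.emailOptInCheckedByDefault ? " checked" : "";
  lines.push(`<label><input type="checkbox" name="optin"${checked}> Join our email list</label>`);
  lines.push('<button type="submit">Submit</button>');
  return lines.join("\n");
}
```

Make the fence decision on the server as well as in the page, so the required checkbox is also enforced when the form is submitted.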

Please appreciate that this is a simple coding principle—not legal advice. It’s worth noting that some organizations have interpreted the GDPR requirements slightly differently. If you’re unsure about how GDPR applies to you, it’s a good idea to seek legal advice.


Karen Nilsen

Hi there! I’m Karen. I’m on a mission to reach my former self. Had I known 10 years ago what I know today, I could have achieved more good, made fewer mistakes, and had more weekends. Every time we share what works, we win faster. Let’s create digital experiences that move people — that grow our base and fuel our movements. Are you with me? Please share this with someone you know who wants to up their digital game!
